Add Montgomery <-> Edwards conversions

daxpedda · daxpedda · commit ef66614a170b · 2025-09-13T15:26:07.000+02:00
diff --git a/ed448-goldilocks/src/edwards/affine.rs b/ed448-goldilocks/src/edwards/affine.rs
@@ -95,37 +95,6 @@ impl AffinePoint {
         }
     }
 
-    pub(crate) fn isogeny(&self) -> Self {
-        let x = self.x;
-        let y = self.y;
-        let mut t0 = x.square(); // x^2
-        let t1 = t0 + FieldElement::ONE; // x^2+1
-        t0 -= FieldElement::ONE; // x^2-1
-        let mut t2 = y.square(); // y^2
-        t2 = t2.double(); // 2y^2
-        let t3 = x.double(); // 2x
-
-        let mut t4 = t0 * y; // y(x^2-1)
-        t4 = t4.double(); // 2y(x^2-1)
-        let xNum = t4.double(); // xNum = 4y(x^2-1)
-
-        let mut t5 = t0.square(); // x^4-2x^2+1
-        t4 = t5 + t2; // x^4-2x^2+1+2y^2
-        let xDen = t4 + t2; // xDen = x^4-2x^2+1+4y^2
-
-        t5 *= x; // x^5-2x^3+x
-        t4 = t2 * t3; // 4xy^2
-        let yNum = t4 - t5; // yNum = -(x^5-2x^3+x-4xy^2)
-
-        t4 = t1 * t2; // 2x^2y^2+2y^2
-        let yDen = t5 - t4; // yDen = x^5-2x^3+x-2x^2y^2-2y^2
-
-        Self {
-            x: xNum * xDen.invert(),
-            y: yNum * yDen.invert(),
-        }
-    }
-
     /// Standard compression; store Y and sign of X
     pub fn compress(&self) -> CompressedEdwardsY {
         let affine_x = self.x;
diff --git a/ed448-goldilocks/src/edwards/extended.rs b/ed448-goldilocks/src/edwards/extended.rs
@@ -331,6 +331,28 @@ impl EdwardsPoint {
         MontgomeryXpoint(u.to_bytes())
     }
 
+    /// Convert this point to [`MontgomeryPoint`]
+    // See https://www.rfc-editor.org/rfc/rfc7748#section-4.2 4-isogeny maps
+    pub fn to_montgomery(&self) -> MontgomeryPoint {
+        // u = y^2/x^2
+        // v = (2 - x^2 - y^2)*y/x^3
+
+        let affine = self.to_affine();
+
+        // TODO: optimize to a single inversion.
+        let xx = affine.x.square();
+        let yy = affine.y.square();
+
+        let u = yy * xx.invert();
+        let v = (FieldElement::TWO - xx - yy) * affine.y * (xx * affine.x).invert();
+
+        MontgomeryPoint::conditional_select(
+            &MontgomeryPoint::new(u, v),
+            &MontgomeryPoint::IDENTITY,
+            self.ct_eq(&Self::IDENTITY),
+        )
+    }
+
     /// Generic scalar multiplication to compute s*P
     pub fn scalar_mul(&self, scalar: &EdwardsScalar) -> Self {
         // Compute floor(s/4)
diff --git a/ed448-goldilocks/src/field/element.rs b/ed448-goldilocks/src/field/element.rs
@@ -4,7 +4,7 @@ use core::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign};
 
 use super::{ConstMontyType, MODULUS};
 use crate::{
-    AffinePoint, Decaf448, DecafPoint, Ed448, EdwardsPoint,
+    AffinePoint, Decaf448, DecafPoint, Ed448, EdwardsPoint, MontgomeryPoint,
     curve::twedwards::extended::ExtendedPoint as TwistedExtendedPoint,
 };
 use elliptic_curve::ops::Reduce;
@@ -196,7 +196,7 @@ impl MapToCurve for Ed448 {
     type ScalarLength = U84;
 
     fn map_to_curve(element: FieldElement) -> EdwardsPoint {
-        element.map_to_curve_elligator2().isogeny().to_edwards()
+        AffinePoint::from(element.map_to_curve_elligator2_curve448()).to_edwards()
     }
 }
 
@@ -434,7 +434,7 @@ impl FieldElement {
         Self(self.0.div_by_2())
     }
 
-    pub(crate) fn map_to_curve_elligator2(&self) -> AffinePoint {
+    pub(crate) fn map_to_curve_elligator2_curve448(&self) -> MontgomeryPoint {
         let mut t1 = self.square(); // 1.   t1 = u^2
         t1 *= Self::Z; // 2.   t1 = Z * t1              // Z * u^2
         let e1 = t1.ct_eq(&Self::MINUS_ONE); // 3.   e1 = t1 == -1            // exceptional case: Z * u^2 == -1
@@ -454,7 +454,7 @@ impl FieldElement {
         let mut y = y2.sqrt(); // 17.   y = sqrt(y2)
         let e3 = y.is_negative(); // 18.  e3 = sgn0(y) == 1
         y.conditional_negate(e2 ^ e3); //       y = CMOV(-y, y, e2 xor e3)
-        AffinePoint { x, y }
+        MontgomeryPoint::new(x, y)
     }
 
     // See https://www.shiftleft.org/papers/decaf/decaf.pdf#section.A.3.
diff --git a/ed448-goldilocks/src/montgomery/point.rs b/ed448-goldilocks/src/montgomery/point.rs
@@ -4,6 +4,7 @@ use subtle::ConditionallySelectable;
 use subtle::ConstantTimeEq;
 
 use super::{MontgomeryXpoint, ProjectiveMontgomeryXpoint};
+use crate::AffinePoint;
 use crate::field::{ConstMontyType, FieldElement};
 
 /// A point in Montgomery form including the y-coordinate.
@@ -74,6 +75,50 @@ impl From<MontgomeryPoint> for MontgomeryXpoint {
     }
 }
 
+impl From<&MontgomeryPoint> for AffinePoint {
+    // https://www.rfc-editor.org/rfc/rfc7748#section-4.2
+    fn from(value: &MontgomeryPoint) -> AffinePoint {
+        let x = value.x;
+        let y = value.y;
+        let mut t0 = x.square(); // x^2
+        let t1 = t0 + FieldElement::ONE; // x^2+1
+        t0 -= FieldElement::ONE; // x^2-1
+        let mut t2 = y.square(); // y^2
+        t2 = t2.double(); // 2y^2
+        let t3 = x.double(); // 2x
+
+        let mut t4 = t0 * y; // y(x^2-1)
+        t4 = t4.double(); // 2y(x^2-1)
+        let xNum = t4.double(); // xNum = 4y(x^2-1)
+
+        let mut t5 = t0.square(); // x^4-2x^2+1
+        t4 = t5 + t2; // x^4-2x^2+1+2y^2
+        let xDen = t4 + t2; // xDen = x^4-2x^2+1+4y^2
+
+        t5 *= x; // x^5-2x^3+x
+        t4 = t2 * t3; // 4xy^2
+        let yNum = t4 - t5; // yNum = -(x^5-2x^3+x-4xy^2)
+
+        t4 = t1 * t2; // 2x^2y^2+2y^2
+        let yDen = t5 - t4; // yDen = x^5-2x^3+x-2x^2y^2-2y^2
+
+        let x = xNum * xDen.invert();
+        let y = yNum * yDen.invert();
+
+        AffinePoint::conditional_select(
+            &AffinePoint { x, y },
+            &AffinePoint::IDENTITY,
+            value.ct_eq(&MontgomeryPoint::IDENTITY),
+        )
+    }
+}
+
+impl From<MontgomeryPoint> for AffinePoint {
+    fn from(value: MontgomeryPoint) -> Self {
+        (&value).into()
+    }
+}
+
 /// A Projective point in Montgomery form including the y-coordinate.
 #[derive(Copy, Clone, Debug, Eq)]
 pub struct ProjectiveMontgomeryPoint {
@@ -188,6 +233,35 @@ impl From<ProjectiveMontgomeryPoint> for MontgomeryXpoint {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::{EdwardsPoint, MontgomeryScalar};
+
+    #[test]
+    fn to_edwards() {
+        let scalar = MontgomeryScalar::from(200u32);
+
+        // Montgomery scalar mul
+        let montgomery_res = ProjectiveMontgomeryPoint::GENERATOR * scalar * scalar;
+        // Goldilocks scalar mul
+        let goldilocks_point = EdwardsPoint::GENERATOR * scalar.to_scalar() * scalar.to_scalar();
+
+        assert_eq!(goldilocks_point.to_montgomery(), montgomery_res.into());
+    }
+
+    #[test]
+    fn identity_to_edwards() {
+        let edwards = AffinePoint::IDENTITY;
+        let montgomery = MontgomeryPoint::IDENTITY;
+
+        assert_eq!(AffinePoint::from(montgomery), edwards);
+    }
+
+    #[test]
+    fn identity_from_montgomery() {
+        let edwards = EdwardsPoint::IDENTITY;
+        let montgomery = MontgomeryPoint::IDENTITY;
+
+        assert_eq!(edwards.to_montgomery(), montgomery);
+    }
 
     #[test]
     fn to_projective_x() {
diff --git a/ed448-goldilocks/src/montgomery/x.rs b/ed448-goldilocks/src/montgomery/x.rs
@@ -1,6 +1,6 @@
 // use crate::constants::A_PLUS_TWO_OVER_FOUR;
 use super::{MontgomeryPoint, MontgomeryScalar, ProjectiveMontgomeryPoint};
-use crate::edwards::extended::EdwardsPoint;
+use crate::AffinePoint;
 use crate::field::{ConstMontyType, FieldElement};
 use core::fmt;
 use core::ops::Mul;
@@ -94,13 +94,6 @@ impl MontgomeryXpoint {
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     ]);
 
-    /// Convert this point to an [`EdwardsPoint`]
-    pub fn to_edwards(&self, _sign: u8) -> Option<EdwardsPoint> {
-        // We use the 4-isogeny to map to the Ed448.
-        // This is different to Curve25519, where we use a birational map.
-        todo!()
-    }
-
     /// Returns true if the point is one of the low order points
     pub fn is_low_order(&self) -> bool {
         (*self == Self::LOW_A) || (*self == Self::LOW_B) || (*self == Self::LOW_C)
@@ -171,6 +164,11 @@ impl MontgomeryXpoint {
 
         MontgomeryPoint::new(x, y)
     }
+
+    /// Convert this point to an [`AffinePoint`]
+    pub fn to_edwards(&self, sign: Choice) -> AffinePoint {
+        self.to_extended(sign).into()
+    }
 }
 
 impl ConstantTimeEq for ProjectiveMontgomeryXpoint {
@@ -320,6 +318,7 @@ impl ProjectiveMontgomeryXpoint {
 mod tests {
 
     use super::*;
+    use crate::EdwardsPoint;
 
     #[test]
     fn test_montgomery_edwards() {
